Received: 26 May 2020 Revised: 13 August 2020 Accepted: 18 August 2020
DOI: 10.1002/itl2.232
SPECIAL ISSUE ARTICLE
Intrusion detection systems using classical machine learning techniques vs integrated unsupervised feature learning and deep neural network
Shisrut Rawat (1), Aishwarya Srinivasan (2), Vinayakumar Ravi (3), Uttam Ghosh (4)
(1) Vellore Institute of Technology, Vellore, India
(2) IBM, New York, New York
(3) Division of Biomedical Informatics, Cincinnati Children's Hospital Medical Center, Cincinnati, Ohio
(4) Vanderbilt University, Nashville, Tennessee
Correspondence
Aishwarya Srinivasan, IBM, New York, 10504, NY.
Email: aishgrt@gmail.com
Security analysts and administrators face many challenges in detecting and preventing network intrusions in their organizations, and to prevent network breaches, detecting the breach on time is crucial. Further challenges arise when detecting unforeseen attacks. This work includes a performance comparison of classical machine learning approaches that require vast feature engineering vs integrated unsupervised feature learning and deep neural networks on the NSL-KDD dataset. Various trials of experiments were run to identify suitable hyperparameters and network configurations of the machine learning models. The DNN using 15 features extracted with Principal Component Analysis (PCA) was the most effective modeling method. The further analysis using only the Software Defined Networking features also achieved good accuracy with a deep neural network.
KEYWORDS
deep learning, dimensionality reduction, intrusion detection, machine learning, software defined networking, unsupervised learning
Internet Technology Letters. 2020;e232. wileyonlinelibrary.com/journal/itl2 © 2020 John Wiley & Sons, Ltd.
https://doi.org/10.1002/itl2.232
1 INTRODUCTION
With the era of digitization and the Internet of Everything, where all devices are paired into a single network of communication, network attacks and endpoint attacks have surged to a vast extent [1]. Cybersecurity involves techniques and technologies to protect a device's software, network, and data from unauthorized and unauthenticated access, malware attacks and network attacks [2]. Multiple systems have been designed around each of these spaces, targeting specific detection and prevention methodologies [3]. This paper revolves around network intrusion attacks, classical and rule-based methods, recent advancements using machine learning, and a proposal of a two-level model integrating unsupervised learning and deep neural networks. The effectiveness of network intrusion detection comes into play when, apart from identifying the known attacks, the system can detect inherited and new attacks. Rule-based network intrusion detection systems (NIDS) are broadly classified into misuse-based or signature-based (SNIDS), anomaly-based (ANIDS) and ensemble methods [4]. In signature-based NIDS the attack signatures are hardcoded, and incoming traffic is matched against these patterns to catch any abnormal traffic in the network. In anomaly-based NIDS, abnormal traffic is flagged; it is well designed for the recognition of new patterns of abnormal traffic. It is one of the most efficient approaches to detect zero-day attacks, which are not well supported by SNIDS. However, the false-positive rate of ANIDS is very high [2]. These two systems can be well integrated, leveraging the strengths of both SNIDS and ANIDS.
Machine learning capabilities have been seen in many domains, particularly to detect zero-day attacks [4,5]. The use of deep learning algorithms for various cybersecurity applications such as malware analysis, intrusion detection, and botnet detection has improved the results significantly [6]. In this paper, ML and DL models are trained on the NSL-KDD dataset and various performance metrics are compared. Additionally, a NIDS is designed and tested exclusively based on software-defined networking features. The major contributions of the proposed work are given below.
This work proposes an integrated framework of unsupervised feature learning and deep learning for NIDS.
A detailed investigation and analysis is presented on the NSL-KDD dataset.
The advantage of a dimensionality reduction technique towards attaining the best performance in the detection of network intrusions is discussed.
The paper starts with the related work on intrusion detection using machine learning techniques and the advancements in those methods in Section 2. It continues with details about the dataset used for the analysis in Section 3, where the methodology section also describes the models built for intrusion detection. The study presents a comparative analysis of multiple machine learning models vs deep learning models in Section 4. Conclusion and future work are placed in Section 5.
2 RELATED WORK
A self-taught learning-based NIDS is proposed in [7], where a sparse autoencoder and softmax regression are used. The proposed model is trained on the NSL-KDD dataset and achieves an accuracy of around 79.10% for 5-class classification, which is very close to the performance of other state-of-the-art models. Apart from this, 23-class and 2-class classification also achieve good performance. In [8], the performance of an RNN-based NIDS is studied. The model is trained on the NSL-KDD dataset, and binary and multi-class classification are performed. The performance of the RNN-based IDS is far superior in both classification tasks when compared to other traditional approaches, and the authors claim that an RNN-based IDS has a strong modeling capability for IDS. Unlike the above works, [9] proposes an IDS for the SDN environment. A DNN-based model is trained on only six basic features taken from the NSL-KDD dataset with different learning rates, and it achieves a maximum accuracy of 75.75%. In [10], a new stacked nonsymmetric deep autoencoder (NDAE) based NIDS is proposed. The model is trained on both the KDD Cup 99 and NSL-KDD benchmark datasets and its performance is compared with a DBN-based model. It can be observed from the experimental analysis that the NDAE-based approach improves the accuracy by up to 5% with a 98.8% training time reduction when compared to the DBN-based approach. In [11], the authors claim that modeling network traffic data as a time series improves the performance of IDS. They substantiate the claim by training LSTM models on the KDD Cup dataset with full and minimal feature sets for 1000 epochs, obtaining a maximum accuracy of 93.82%. In [12], the effectiveness of CNN and CNN-RNN based models is studied. Models such as CNN, CNN-LSTM, CNN-GRU, and CNN-RNN are trained on the KDD Cup dataset, and it can be observed that the CNN-based model outperforms the hybrid CNN-RNN models. Unlike the previously mentioned works, [2] analyses several ML-based approaches for intrusion detection to identify various issues. Issues related to the detection of low-frequency attacks are discussed, with a possible solution to improve the performance further. In [13], a highly scalable deep learning framework is proposed for intrusion detection at both the network and the host level. Various ML and DNN models are trained on datasets such as KDD Cup, NSL-KDD, WSN-DS, UNSW-NB15, CICIDS 2017, ADFA-LD and ADFA-WD, and their performance is compared.
3 METHODOLOGY
3.1 Description of dataset
Network security datasets are available in two ways. First, from packet monitoring software such as Wireshark, Tcpdump, WinDump etc.; however, these data are not labeled and a lot of time goes into labeling, so they may not be suitable for modeling purposes, but they can serve as an out-of-time validation dataset that ensures the robustness of the ML/DL model. The second way is the use of open-source network security datasets available for free download; this saves data acquisition time and increases the efficiency of research, because they require very little cleaning and are present in a condition suitable for a modeler, for example the DARPA intrusion detection dataset, the KDD Cup 99 dataset, the ADFA dataset and the NSL-KDD dataset [2]. For our research we used the NSL-KDD dataset [14], an improved version of the KDD Cup 99 dataset. One of the major drawbacks of the KDD Cup 99 dataset is the large number of duplicate observations in the test and train sets; the NSL-KDD dataset overcomes these limitations, hence it suits our purpose of building robust predictive models.
For each observation in the NSL-KDD dataset there are 41 features: 3 are nominal, 4 are binary and the remaining 34 are continuous variables. It has 23 traffic classes in the training dataset and 30 in the test dataset. These attacks can be clustered into four main categories: DoS, probing, U2R and R2L. The features are classified into 3 broad types: (a) basic features, (b) content-based features and (c) traffic-based features. The attack information of the NSL-KDD dataset is listed in Tables 1 and 2.

TABLE 1 Dataset network intrusion details
Traffic   Train    Test
Normal    67,343   9,711
DoS       45,927   7,458
U2R           52      67
R2L          995   2,887
Probe     11,656   2,421

TABLE 2 Subcategories of intrusions under each broader class of intrusion (attacks marked with * are only present in the test dataset)
Category  Attacks
DoS       back, land, neptune, pod, smurf, teardrop, mailbomb*, processtable*, udpstorm*, apache2*, worm*
R2L       ftp-write, guess-passwd, imap, multihop, phf, spy, warezmaster, xlock*, xsnoop*, snmpguess*, snmpgetattack*, httptunnel*, sendmail*, named*
U2R       buffer-overflow, loadmodule, perl, rootkit, sqlattack*, xterm*, ps*
Probe     ipsweep, nmap, portsweep, satan, mscan*, saint*
3.2 Model architecture
The proposal includes an unsupervised feature selection step combined with a deep neural network, and a deep neural network without unsupervised feature selection. Following the hyperparameter selection study, a deep neural network of 5 layers was created. The deep neural network is an advanced form of the classical feed-forward network (FFN). As the name indicates, the DNN contains many hidden layers along with the input and output layers. Increasing the number of layers in an FFN causes the vanishing and exploding gradient issue. To handle this issue, the ReLU non-linear activation was introduced. ReLU helps to protect the weights from the vanishing gradient error. Compared to other non-linear functions, ReLU is more robust with respect to its first-order derivative, since it does not go to zero for high positive and negative values of the domain. The proposed DNN architecture contains an input layer, five hidden layers, and an output layer. The output layer of the DNN contains a single unit with a sigmoid activation function, which results in either 0 or 1. The value 0 indicates normal and 1 indicates an attack. The DNN model uses binary cross-entropy as the loss function, defined as follows:

$$\mathrm{loss}(p, e) = -\frac{1}{N} \sum_{i=1}^{N} \left[ e_i \log(p_i) + (1 - e_i) \log(1 - p_i) \right] \qquad (1)$$

where p is the predicted label vector and e is the truth/expected label vector.
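The loss in Equation (1), implemented in plain Python as an added example (this is not code from the paper or its authors). The clipping constant EPS, the 0.5 decision threshold that turns the sigmoid output into a 0/1 label, and the toy scores in demo() are assumptions; the paper states none of them.

```python
"""Binary cross-entropy (Equation 1) with the sigmoid output unit of Section 3.2.
Added example, not the paper's code. EPS, the 0.5 threshold and the toy
records in demo() are assumptions / constructed input."""
import math

EPS = 1e-7  # assumed clipping constant: keeps log() away from 0


def sigmoid(x):
    """Output-unit activation: maps a real score to a probability in (0, 1)."""
    return 1.0 / (1.0 + math.exp(-x))


def predict_label(prob, threshold=0.5):
    """Paper's label convention: 0 = normal, 1 = attack. Threshold is assumed."""
    return 1 if prob >= threshold else 0


def binary_cross_entropy(p, e, eps=EPS):
    """loss(p, e) = -(1/N) * sum_i [ e_i log(p_i) + (1 - e_i) log(1 - p_i) ]   (1)

    p: predicted probabilities from the sigmoid unit, e: expected 0/1 labels.
    Probabilities are clipped to [eps, 1 - eps]: one prediction of exactly 0 or 1
    on the wrong side would otherwise give log(0) and an infinite loss."""
    if not p or len(p) != len(e):
        raise ValueError("p and e must be non-empty vectors of equal length")
    total = 0.0
    for p_i, e_i in zip(p, e):
        p_i = min(max(p_i, eps), 1.0 - eps)
        total += e_i * math.log(p_i) + (1 - e_i) * math.log(1.0 - p_i)
    return -total / len(p)


def demo():
    """Constructed toy records: pre-activation scores from a hypothetical output
    unit and their true labels (1 = attack, 0 = normal)."""
    logits = [2.2, -2.2, 1.4, -1.4]
    labels = [1, 0, 1, 0]
    probs = [sigmoid(z) for z in logits]
    preds = [predict_label(q) for q in probs]
    # the same probabilities scored against the *wrong* labels show how the
    # loss penalises confident mistakes far more than confident correct calls
    wrong = [1 - y for y in labels]
    return {
        "predictions": preds,
        "loss_correct": binary_cross_entropy(probs, labels),
        "loss_wrong": binary_cross_entropy(probs, wrong),
    }


if __name__ == "__main__":
    print(demo())
```

The clipping is the practical detail the formula hides: a saturated sigmoid on a mislabeled record would otherwise produce a non-finite loss and stall training.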
4 EVALUATION & RESULTS
Deep neural networks (DNNs) were trained using GPU-enabled TensorFlow* as the backend with the Keras† framework. The learning rate of the proposed DNN model is set to 0.01, the optimizer to Adam and the batch size to 64. To compare the performance of the various models on the NSL-KDD dataset, the following scenarios were taken into consideration.
1. Classification of the network connection records as normal or attack considering all features present in the NSL-KDD dataset.
2. Classification of the network connection records as normal or attack considering the minimal feature set [9] present in the NSL-KDD dataset.
TABLE 3 Model performance with all features
Algorithm                    Train Accuracy   Validation Accuracy   Test Accuracy
Decision Tree                1.0              0.9978                0.778
Extra Tree                   1.0              0.9973                0.767
Ensemble Extra Tree          1.0              0.999                 0.769
Light GBM                    0.996            0.989                 0.776
Deep Neural Network          0.949            0.972                 0.772
PCA + Deep Neural Network    0.967            0.982                 0.793

TABLE 4 Model performance with 6 SDN features
Algorithm                    Train Accuracy   Validation Accuracy   Test Accuracy
Decision Tree                0.978            0.975                 0.712
Extra Tree                   0.978            0.973                 0.744
Ensemble Extra Tree          0.978            0.974                 0.736
Light GBM                    0.976            0.966                 0.742
Deep Neural Network          0.948            0.955                 0.759
The network connection records in the dataset are either Normal or Attack in the case of binary classification.
1. True Positive (TP) - connections that were accurately classified as the Normal class.
2. True Negative (TN) - connections that were accurately classified as the Attack class.
3. False Positive (FP) - Normal connections inaccurately classified as Attack connections.
4. False Negative (FN) - Attack connections inaccurately classified as Normal connections.
Accuracy: the ratio of the accurately classified network connections to the entire test dataset. The larger the accuracy, the better the classification model; the accuracy score ranges between 0 and 1 and is defined as follows:

$$\mathrm{Accuracy} = \frac{TP + TN}{TP + TN + FP + FN} \qquad (2)$$
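The four counts and Equation (2) under the paper's labelling (Normal is the positive class), as an added example that is not the paper's code. The ten sample records in demo() are constructed; the class sizes in TEST_COUNTS are the test-set figures from Table 1. Beyond the paper's text, the block also reports the missed-attack rate and the accuracy of a trivial all-Attack classifier, since accuracy alone says nothing about how many intrusions slipped through.

```python
"""Confusion counts and accuracy (Equation 2) with Normal as the positive class.
Added example, not the paper's code. Sample predictions are constructed;
TEST_COUNTS reproduces the test column of Table 1."""

NORMAL, ATTACK = "Normal", "Attack"

# Test-set class sizes from Table 1 of the paper
TEST_COUNTS = {"Normal": 9711, "DoS": 7458, "U2R": 67, "R2L": 2887, "Probe": 2421}


def confusion_counts(actual, predicted):
    """TP: Normal classified Normal; TN: Attack classified Attack;
    FP: Normal classified Attack (a false alarm); FN: Attack classified Normal
    (a missed intrusion)."""
    if len(actual) != len(predicted):
        raise ValueError("actual and predicted must have the same length")
    counts = {"TP": 0, "TN": 0, "FP": 0, "FN": 0}
    for a, p in zip(actual, predicted):
        if a == NORMAL:
            counts["TP" if p == NORMAL else "FP"] += 1
        else:
            counts["TN" if p == ATTACK else "FN"] += 1
    return counts


def accuracy(counts):
    """Equation (2): (TP + TN) / (TP + TN + FP + FN)."""
    return (counts["TP"] + counts["TN"]) / sum(counts.values())


def missed_attack_rate(counts):
    """Fraction of attacks the detector let through, FN / (TN + FN). Accuracy
    does not expose this, and it is the number a defender cares about most."""
    attacks = counts["TN"] + counts["FN"]
    return counts["FN"] / attacks if attacks else 0.0


def majority_baseline():
    """Accuracy of a detector that labels every test record Attack. Attacks
    outnumber normal records in Table 1, so this is the floor a model must beat."""
    attacks = sum(v for k, v in TEST_COUNTS.items() if k != "Normal")
    return attacks / (attacks + TEST_COUNTS["Normal"])


def demo():
    # constructed sample of ten connection records: six Normal, four Attack
    actual = [NORMAL] * 6 + [ATTACK] * 4
    # one false alarm on a Normal record, two attacks missed
    predicted = [NORMAL] * 5 + [ATTACK] + [ATTACK] * 2 + [NORMAL] * 2
    counts = confusion_counts(actual, predicted)
    return counts, accuracy(counts), missed_attack_rate(counts)


if __name__ == "__main__":
    print(demo(), majority_baseline())
```

On the constructed sample the detector scores 0.7 accuracy while missing half of the attacks, which is why the FN count deserves to be read alongside Equation (2).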
The models built for the study include a Decision Tree, Extra Tree, Ensemble Extra Tree, Light GBM and a DNN. In addition, instead of using all features as the input to the DNN, PCA [15] was applied on the 41 features to extract 15 reduced features, which were then fed into the DNN. The hyperparameters were tuned for all the aforementioned models; their details are not explicitly mentioned in the paper. All the models were run on the train data of NSL-KDD with stratified cross-validation and later tested on the test data of NSL-KDD. As mentioned in the model architecture section, the models were trained and tested on 41 features and on 6 features separately. According to the research by Tang et al. [9], the intrusion dataset contains six features that depict Software Defined Networking features, namely duration, protocol type, source bytes, destination bytes, same host connections, and same service connections. To observe the relative performance of the predictive models using all intrusion features vs the SDN features, the models were also built using just these six features. The results of the models on the train, validation and test sets are presented in Tables 3 and 4 for the NSL-KDD dataset with 41 features and with the minimal feature set, respectively. The classical models performed better than the DNN on the NSL-KDD dataset with 41 features. However, the DNN model performs better than the classical models with the minimal feature set. Also, the performance attained by all the models with the minimal feature set is close to that with the 41-feature set of the NSL-KDD dataset. This suggests that not all 41 features are significant and, most importantly, the DNN model performed better on the reduced dataset. This indicates that PCA is an important approach which helps to reduce the noisy features in the dataset.
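The PCA reduction step described above, fitted on the training split only, as an added example that is not the paper's code. The standardisation step, the latent-factor generator that stands in for NSL-KDD rows and the 41-column synthetic matrices are assumptions and constructed input; the 41 and 15 come from the paper.

```python
"""PCA from 41 features to 15 components, fitted on training data and applied to
test data with the training statistics. Added example, not the paper's code;
standardisation and the synthetic data generator are assumptions."""
import numpy as np

N_FEATURES = 41     # NSL-KDD feature count (from the paper)
N_COMPONENTS = 15   # reduced feature count the paper feeds into the DNN


def fit_pca(x_train, n_components=N_COMPONENTS):
    """Fit standardisation and principal axes on the training matrix only.
    Standardising first stops large-magnitude columns (byte counts) from
    dominating rate features that live in [0, 1]."""
    mean = x_train.mean(axis=0)
    std = x_train.std(axis=0)
    std[std == 0] = 1.0                     # constant column: centre it, avoid /0
    z = (x_train - mean) / std
    _, s, vt = np.linalg.svd(z, full_matrices=False)   # rows of vt = principal axes
    ratio = (s ** 2) / np.sum(s ** 2)       # variance share of each axis
    return {"mean": mean, "std": std,
            "components": vt[:n_components],
            "explained_variance_ratio": ratio[:n_components]}


def transform(pca, x):
    """Project records with the *training* statistics. Refitting on the test split
    would leak test information into the feature space the model is scored on."""
    z = (x - pca["mean"]) / pca["std"]
    return z @ pca["components"].T


def components_are_orthonormal(pca, tol=1e-8):
    """Sanity check: principal axes must be unit length and mutually orthogonal."""
    c = pca["components"]
    return bool(np.allclose(c @ c.T, np.eye(c.shape[0]), atol=tol))


def make_synthetic(n_rows, mixing, rng, noise=0.1):
    """Constructed stand-in for NSL-KDD rows: a few latent factors mixed into
    41 columns plus small noise, so most variance sits in a handful of axes."""
    latent = rng.normal(size=(n_rows, mixing.shape[0]))
    return latent @ mixing + noise * rng.normal(size=(n_rows, N_FEATURES))


def demo(seed=0):
    rng = np.random.default_rng(seed)
    mixing = rng.normal(size=(5, N_FEATURES))           # shared by train and test
    x_train = make_synthetic(1000, mixing, rng)
    x_test = make_synthetic(200, mixing, rng)
    pca = fit_pca(x_train)
    z_train, z_test = transform(pca, x_train), transform(pca, x_test)
    return {
        "train_shape": z_train.shape,
        "test_shape": z_test.shape,
        "variance_kept": float(pca["explained_variance_ratio"].sum()),
        "train_mean_abs": float(np.abs(z_train.mean(axis=0)).max()),
        "orthonormal": components_are_orthonormal(pca),
    }


if __name__ == "__main__":
    print(demo())
```

Fitting the mean, scale and axes on the training split and reusing them for the test split mirrors the paper's train/test protocol; the explained-variance ratio is the number to inspect when deciding whether 15 components is enough for a given dataset.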
5 CONCLUSION AND FUTURE WORK
In this paper, a deep learning algorithm for intrusion detection in networks was implemented and evaluated. As seen in the test dataset, multiple new intrusions appear within each broader category. When the model was trained and evaluated on the train-validation split, the model performance was quite high compared to the test set accuracy, where new intrusions are seen. Compared to all other classifiers, the deep neural network presents a much better model fit and better accuracy on the test set, with an accuracy of 0.793. The other models seem to overfit the training data while performing less effectively at recognizing the intrusion patterns in the test data. Another implementation focuses on the Software Defined Networking variables for model training and evaluation. With just six of the 41 features, the deep learning model gives an accuracy of 0.759 on the test set with unseen intrusions. In the future, we plan to implement continuous real-time model training to obtain better performance rather than training on static data. In addition, the proposed model can be evaluated on the recently released benchmark NIDS datasets along with NSL-KDD to show that it is more generalizable and can detect new types of attacks. This is considered one of the significant directions for future work.
ENDNOTES
* https://www.tensorflow.org/
† https://keras.io/
ORCID
Vinayakumar Ravi https://orcid.org/0000-0001-6873-6469
REFERENCES
1. Vinayakumar R, Alazab M, Srinivasan S, Pham QV, Padannayil SK, Simran K. A visualized botnet detection system based deep learning for the internet of things networks of smart cities. IEEE Trans Indus Appl. 2020;56:4436-4456.
2. Mishra P, Varadharajan V, Tupakula U, Pilli ES. A detailed investigation and analysis of using machine learning techniques for intrusion detection. IEEE Commun Surv Tut. 2018;21(1):686-728.
3. Vinayakumar R, Soman KP, Poornachandran P. Evaluating effectiveness of shallow and deep networks to intrusion detection system. In: 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI); September 2017:1282-1289. IEEE.
4. Vinayakumar R, Soman KP, Poornachandran P. A comparative analysis of deep learning approaches for network intrusion detection systems (N-IDSs): deep learning for N-IDSs. Int J Dig Crime Foren. 2019;11(3):65-89.
5. Vinayakumar R, Soman KP, Poornachandran P. Evaluation of recurrent neural network and its variants for intrusion detection system (IDS). Int J Inform Syst Model Des. 2017;8(3):43-63.
6. Singla A, Bertino E. How deep learning is making information security more intelligent. IEEE Secur Privacy. 2019;17(3):56-65.
7. Javaid A, Niyaz Q, Sun W, Alam M. A deep learning approach for network intrusion detection system. In: Proceedings of the 9th EAI International Conference on Bio-inspired Information and Communications Technologies (formerly BIONETICS); May 2016:21-26.
8. Yin C, Zhu Y, Fei J, He X. A deep learning approach for intrusion detection using recurrent neural networks. IEEE Access. 2017;5:21954-21961.
9. Tang TA, Mhamdi L, McLernon D, Zaidi SAR, Ghogho M. Deep learning approach for network intrusion detection in software defined networking. In: 2016 International Conference on Wireless Networks and Mobile Communications (WINCOM); October 2016:258-263. IEEE.
10. Shone N, Ngoc TN, Phai VD, Shi Q. A deep learning approach to network intrusion detection. IEEE Trans Emerg Top Comput Intel. 2018;2(1):41-50.
11. Staudemeyer RC. Applying long short-term memory recurrent neural networks to intrusion detection. South Afr Comput J. 2015;56(1):136-154.
12. Vinayakumar R, Soman KP, Poornachandran P. Applying convolutional neural network for network intrusion detection. In: 2017 International Conference on Advances in Computing, Communications and Informatics (ICACCI); September 2017:1222-1228. IEEE.
13. Vinayakumar R, Alazab M, Soman KP, Poornachandran P, Al-Nemrat A, Venkatraman S. Deep learning approach for intelligent intrusion detection system. IEEE Access. 2019;7:41525-41550.
14. Tavallaee M, Bagheri E, Lu W, Ghorbani AA. A detailed analysis of the KDD CUP 99 data set. In: 2009 IEEE Symposium on Computational Intelligence for Security and Defense Applications; July 2009:1-6. IEEE.
15. RM SP, Maddikunta PKR, Parimala M, et al. An effective feature engineering for DNN using hybrid PCA-GWO for intrusion detection in IoMT architecture. Comput Commun. 2020.
How to cite this article: Rawat S, Srinivasan A, Ravi V, Ghosh U. Intrusion detection systems using classical machine learning techniques vs integrated unsupervised feature learning and deep neural network. Internet Technology Letters. 2020;e232. https://doi.org/10.1002/itl2.232
... Lack of a systematic dataset: This study brought to light the lack of a current dataset reflecting new attacks on contempo- [35]. Because these models were not trained with enough attack kinds and patterns, the majority of the offered approaches were unable to detect zero-day attacks [36]. An effective IDS model must be tested and validated on a dataset containing both older and more recent attacks. ...
Article
To detect and stop harmful activity in computer networks, network intrusion detection is an essential part of cybersecurity defensive systems. It is becoming more difficult for traditional rule-based techniques to identify new attack vectors in the face of the increasing complexity and diversity of cyber threats. Machine learning (ML) and deep learning (DL) models can analyze vast amounts of network traffic data and automatically identify patterns and anomalies, there has been a surge in interest in using these models for network intrusion detection. This paper examines the approaches, algorithms, and real-world applications of machine learning and deep learning techniques for network intrusion detection in order to present a thorough review of the state-of-the-art in countering cyber threats. We assess ML and DL-based intrusion detection systems' effectiveness, strengths, and weaknesses in a range of attack scenarios and network environments by synthesizing current literature and empirical research. Additionally, we talk about new developments, obstacles, and paths forward in the areas of transfer learning, adversar-ial robustness, and ensemble learning. The understanding gained from this investigation clarifies the potential of ML and DL models in strengthening defenses against changing cyber threats, reducing risks, and protecting vital assets. In deep learning autoencode accuracy 68% less than other models. The performance of the CNN and LSTM algorithm is impressive and outperformed with 100% accuracy on cyber security attacks datasets. Machine learning algorithm accuracy rate of SVM and KNN 100% while logistic regression accuracy is 99% GNB accuracy 80% with training data of the models. The overall models perforamance deep learning increadible accuracy with 100% on the training and testing data.
... In unsupervised learning, the algorithm learns the structure from the unlabeled input data [77]. Without knowing the specific sorts of intrusions, it instead looks for trends, abnormalities, or clusters in the network traffic data. ...
Article
Full-text available
There has been a discernible rise in the growth and progress of the Internet, networking, and mobile communication. The complexity of networking systems has increased due to the advancements in devices, resources, and infrastructure. A novel and developing network technology called software-defined networking (SDN), gets beyond the drawbacks of conventional networks and gives networking systems intelligent control. While SDN is the most adaptable and promising network management control solution, its implementation also introduces a number of new security risks. There is a need to deploy networking systems intelligently to manage, optimize, and organize these complex systems. Machine learning (ML) approaches have been extensively utilized to detect many attacks, and an ML technique may assist the network administrator in taking the necessary precautions to avoid intrusions. In SDN, ML techniques are used to manage the network and make Network Intrusion Detection Systems (NIDS) detect network attacks like Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks. This paper comprehensively surveys ML and Deep Learning (DL) algorithms and techniques used for intrusion detection in SDN. Different studies are categorized accordingly, such as supervised, unsupervised, and deep learning models. Research studies are compared in the form of a table, and learned lessons are also leveraged for each category. Finally, this survey presents the key challenges faced in implementing different intrusion detection techniques in SDN before comprehensively highlighting future research directions.
... The purpose of the present work is to conduct a comprehensive assessment of ML methods and DL methods in the context of intrusion detection [21]. This paper provides a summary of recent work and compares the experimental results of various researchers about the detection of [22]examines the performance of traditional machine learning methods, which require considerable feature engineering, in comparison to integrated unsupervised feature learning and deep neural networks.Hameed et al. [3]provides a structure for identifying different attack categories that can be performed against a network. For the purpose of attack detection, a total of five distinct methods, namely Random Forest, Decision Tree, Logistic Regression, K-Nearest Neighbors, and Artificial Neural Networks, were utilized. ...
... By harnessing the power of deep learning, significant enhancements have been achieved in these areas, ultimately bolstering the security and safeguarding of our online environment [3]. The fundamental objective of this paper is to furnish a complete and all-encompassing evaluation of the literature concerning the application of AI approaches to identify breaches in the context of software-defined networking. ...
Preprint
Demands for flexible and seamless system management necessitated the growth of software-defined networks (SDN). Yet, securing these environments with effective measures is critical as SDN continues to evolve into more intricate architectures. Intrusion detection is paramount among these measures; thus far, studies suggest that artificial intelligence (AI) approaches may be helpful in this domain. By systematically examining relevant works addressing AI-based intrusion prevention strategies within hyper-evolved SDN settings, our review aims to present an inclusive evaluation alongside suggesting areas requiring additional scrutiny. This research introduces readers to key concepts related to SDN and how deep learning algorithms, machine learning algorithms, and neural networks can be applied for effective intrusion detection within an SDN environment. Drawing from existing literature on this subject matter, our analysis critically examines the benefits and drawbacks of these AI-based techniques while highlighting gaps in knowledge requiring further research attention. Some areas include real-time protection capabilities, scalability concerns, and seamless integration with different security mechanisms. We then present future research directions in this area. This literature review employs a systematic approach to elucidate the current research on using AI methods to detect intrusions in SDN.
... There are more challenges while detecting unexpected attacks. The study used PCA [27] for feature selection to show the effectiveness of selecting features. Violations of policy and unapproved access increase the importance of IDS [28]. ...
Article
Full-text available
In the era of advanced cyber developments, intrusions becomes a common event in any network. Although there are research studies and developers found ways to improve the detection models, there is some problem that persists in the intrusion models such as extracting key features from a large dataset, and delayed detection is a critical issue that needs to be addressed. Hence the proposed study aimed to develop a model that could extract key features from the dataset and use them effectively in the detection of threats. The study incorporates two approaches, one is feature extraction by the K-Nearest Neighbourhood, and feature selection by the K-Best approach. And the other is the balanced Gini-Entropy approach for the Random Forest (RF) classifier. This combined approach by KNN, K-best, and RF is referred to as (KK-RF). This combined approach of feature extraction, selection, and classification results in an effective threat detection model with high accuracy of about 99.61%. Moreover the proposed model has achieved precision and the recall rates of 97.3 and 96.6% respectively. Concurrently, the model attained markable F1-score of 96.6 respectively. Also, from the comparison results, it is observed that the proposed model had higher performance.
... Aamir et al. [44] proposed a clustering-based approach to distinguish network traffic data, using machine learning algorithms like k-nearest neighbor, support vector machine, and random forest. Rawat et al. [45] compared machine learning methods and neural networks for intrusion detection, achieving 79.3% accuracy in the NSL-KDD database using the Principal Component Analysis (PCA) algorithm. The study [46] introduced an intrusion detection system using simple Bayes algorithms and support vector machine, with a 93.95% accuracy rate. ...
Article
Full-text available
The increasing number of network attacks has led to the development of intrusion detection systems. However, these methods often face limitations such as high traffic flow data dimensions, which can reduce attack detection rates and noise sensitivity, affecting anomaly detection performance. This paper introduces a new model based on recurrent deep learning and instance-level horizontal reduction to detect anomalies and network attacks. The model uses nested sliding windows, which move with a specific step in the data and generate a different number of histogram outputs based on the type of anomaly in the data. Evaluation results on five databases show that the proposed model achieves a high accuracy of 99% in detecting different attacks, demonstrating the success of this new approach combined with deep recurrent neural networks in detecting anomalies.
Article
Objectives: Electrocardiogram (ECG) signals are extensively utilized in the identification and assessment of diverse cardiac conditions, including congestive heart failure (CHF) and cardiac arrhythmias (ARR), which present potential hazards to human health. With the aim of facilitating disease diagnosis and assessment, advanced computer-aided systems are being developed to analyze ECG signals. Methods: This study proposes a state-of-the-art ECG data pattern recognition algorithm based on Continuous Wavelet Transform (CWT) as a novel signal preprocessing model. The Motif Transformation (MT) method was devised to diminish the drawbacks and limitations inherent in the CWT, such as the issue of boundary effects, limited localization in time and frequency, and overfitting conditions. This transformation technique facilitates the formation of diverse patterns (motifs) within the signals. The patterns (motifs) are constructed by comparing the amplitudes of each individual sample value in the ECG signals in terms of their largeness and smallness. In the subsequent stage, the obtained one-dimensional signals from the MT transformation were subjected to CWT to obtain scalogram images. In the last stage, the obtained scalogram images were subjected to classification using DenseNET deep transfer learning techniques. Results and conclusions: The combined approach of MT + CWT + DenseNET yielded an impressive success rate of 99.31 %.
Article
Full-text available
Ensuring the privacy and trustworthiness of smart city—Internet of Things (IoT) networks has recently remained the central problem. Cyborg intelligence is one of the most popular and advanced technologies suitable for securing smart city networks against cyber threats. Various machine learning and deep learning-based cyborg intelligence mechanisms have been developed to protect smart city networks by ensuring property, security, and privacy. However, it limits the critical problems of high time complexity, computational cost, difficulty to understand, and reduced level of security. Therefore, the proposed work intends to implement a group of novel methodologies for developing an effective Cyborg intelligence security model to secure smart city systems. Here, the Quantized Identical Data Imputation (QIDI) mechanism is implemented at first for data preprocessing and normalization. Then, the Conjugate Self-Organizing Migration (CSOM) optimization algorithm is deployed to select the most relevant features to train the classifier, which also supports increased detection accuracy. Moreover, the Reconciliate Multi-Agent Markov Learning (RMML) based classification algorithm is used to predict the intrusion with its appropriate classes. The original contribution of this work is to develop a novel Cyborg intelligence framework for protecting smart city networks from modern cyber-threats. In this system, a combination of unique and intelligent mechanisms is implemented to ensure the security of smart city networks. It includes QIDI for data filtering, CSOM for feature optimization and dimensionality reduction, and RMML for categorizing the type of intrusion. By using these methodologies, the overall attack detection performance and efficiency have been greatly increased in the proposed cyborg model.
Here, the main reason for using the CSOM methodology is to increase the learning speed and prediction performance of the classifier while detecting intrusions in smart city networks. Moreover, the CSOM provides the optimized set of features for improving the training and testing operations of the classifier with high accuracy and efficiency. Among other methodologies, the CSOM has the unique characteristics of increased searching efficiency, high convergence, and fast processing speed. During the evaluation, different types of cyber-threat datasets are considered for testing and validation, and the results are compared with recent state-of-the-art model approaches.
Article
Internet of things (IoT) applications for smart cities have currently become a primary target for advanced persistent threats (APT) of botnets. This paper proposes a botnet detection system based on a two-level deep learning framework for semantically discriminating botnets and legitimate behaviors at the application layer of the domain name system (DNS) services. In the first level of the framework, the similarity measures of DNS queries are estimated using siamese networks based on a predefined threshold for selecting the most frequent DNS information across Ethernet connections. In the second level of the framework, a domain generation algorithm (DGA) based on deep learning architectures is suggested for categorizing normal and abnormal domain names. The framework is highly scalable on a commodity hardware server due to its potential design of analyzing DNS data. The proposed framework was evaluated using two data sets and was compared with recent deep learning models. Various visualization methods were also employed to understand the characteristics of the data set and to visualize the embedding features. The experimental results revealed substantial improvements in terms of F1-score, speed of detection and false alarm rate.
Article
Recently, due to the advances and impressive results of deep learning techniques in the fields of image recognition, natural language processing and speech recognition for various long-standing artificial intelligence (AI) tasks, there has been great interest in applying them to security tasks too. This article focuses on applying these deep taxonomy techniques to network intrusion detection systems (N-IDS) with the aim of enhancing the performance in classifying network connections as either good or bad. To substantiate this for NIDS, this article models network traffic as time series data, specifically transmission control protocol / internet protocol (TCP/IP) packets in a predefined time-window, with supervised deep learning methods such as the recurrent neural network (RNN), the identity-matrix-initialized variant typically termed the identity recurrent neural network (IRNN), long short-term memory (LSTM), clock-work RNN (CWRNN) and gated recurrent unit (GRU), utilizing connection records of the KDDCup-99 challenge data set. The main interest is in evaluating the performance of the RNN against newly introduced methods such as LSTM and IRNN, which alleviate the vanishing and exploding gradient problem in memorizing long-term dependencies. The efficient network architecture for all deep models is chosen by comparing the performance of various network topologies and network parameters. The experiments of such chosen efficient configurations of deep models were run up to 1,000 epochs by varying learning-rates between 0.01-05. The observed results of IRNN are relatively close to the performance of LSTM on the KDDCup-99 NIDS data set. In addition to KDDCup-99, the effectiveness of the deep model architectures is evaluated on the refined version of KDDCup-99, NSL-KDD, and the most recent one, the UNSW-NB15 NIDS dataset. Copyright © 2019, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
Article
Machine learning techniques are being widely used to develop intrusion detection systems (IDS) for detecting and classifying cyber-attacks at the network level and host level in a timely and automatic manner. However, many challenges arise since malicious attacks are continually changing and are occurring in very large volumes, requiring a scalable solution. There are different malware datasets available publicly for further research by the cyber security community. However, no existing study has shown a detailed analysis of the performance of various machine learning algorithms on various publicly available datasets. Due to the dynamic nature of malware with continuously changing attack methods, the publicly available malware datasets have to be updated systematically and benchmarked. In this paper, the deep neural network (DNN), a type of deep learning model, is explored to develop a flexible and effective IDS to detect and classify unforeseen and unpredictable cyber-attacks. The continuous change in network behaviour and rapid evolution of attacks make it necessary to evaluate the various datasets that have been generated over the years through static and dynamic approaches. This type of study helps to identify the best algorithm which can effectively detect future cyber-attacks. A comprehensive evaluation of experiments with DNNs and other classical machine learning classifiers is shown on various publicly available benchmark malware datasets. The optimal network parameters and network topologies for the DNNs are chosen by following hyperparameter selection methods with the KDDCup 99 dataset. All experiments of DNNs are run till 1,000 epochs with the learning rate varying in the range [0.01-0.5]. The DNN model which performed well on KDDCup 99 is applied to other datasets such as NSL-KDD, UNSW-NB15, Kyoto, WSN-DS and CICIDS 2017 to conduct the benchmark.
Our DNN model learns the abstract and high-dimensional feature representation of the IDS data by passing it through many hidden layers. Through rigorous experimental testing it is confirmed that DNNs perform well in comparison to the classical machine learning classifiers. Finally, we propose a highly scalable and hybrid DNN framework called Scale-Hybrid-IDS-AlertNet (SHIA) which can be used in real time to effectively monitor network traffic and host-level events and proactively alert on possible cyber-attacks.
Article
This article describes how sequential data modeling is a relevant task in Cybersecurity. Sequences are attributed temporal characteristics either explicitly or implicitly. Recurrent neural networks (RNNs) are a subset of artificial neural networks (ANNs) which have appeared as a powerful, principled approach to learn dynamic temporal behaviors in arbitrary-length, large-scale sequence data. Furthermore, stacked recurrent neural networks (S-RNNs) have the potential to learn complex temporal behaviors quickly, including sparse representations. To leverage this, the authors model network traffic as a time series, particularly transmission control protocol / internet protocol (TCP/IP) packets in a predefined time range, with a supervised learning method, using millions of known good and bad network connections. To find out the best architecture, the authors complete a comprehensive review of various RNN architectures with their network parameters and network structures. Ideally, as a test bed, they use the existing benchmark Defense Advanced Research Projects Agency (DARPA) / Knowledge Discovery and Data Mining (KDD) Cup '99 intrusion detection (ID) contest data set to show the efficacy of these various RNN architectures. All the experiments of deep learning architectures are run up to 1000 epochs with a learning rate in the range [0.01-0.5] on GPU-enabled TensorFlow, and experiments of traditional machine learning algorithms are done using Scikit-learn. Experiments of the families of RNN architecture achieved a low false positive rate in comparison to the traditional machine learning classifiers. The primary reason is that RNN architectures are able to store information for long-term dependencies over time-lags and to adjust with successive connection sequence information. In addition, the effectiveness of RNN architectures is shown for the UNSW-NB15 data set.
Article
The entire computing paradigm has changed due to the technological advancements in Information and Communication Technology (ICT). Due to these advancements, various new communication channels are being introduced, among which the Internet of Things (IoT) plays a significant role. The Internet of Medical Things (IoMT) is a special category of IoT in which medical devices communicate with each other to share sensitive data. These advancements help the healthcare industry to have better contact with and care for their patients. But they too have certain drawbacks, since there are many security and privacy issues such as replay, man-in-the-middle, impersonation, privileged-insider, remote hijacking, password guessing, denial of service (DoS) attacks and malware attacks. When the sensitive data is subjected to any of these attacks, there is a chance of the authorized data being lost to the attacker or altered, so that the data is no longer available to the authorized users and customers. Machine learning algorithms are widely used in Intrusion Detection Systems (IDS) for detecting and classifying attacks at the network and host level in a dynamic manner. Many supervised and unsupervised algorithms have been designed by researchers in the areas of machine learning and data mining to achieve reliable detection of anomalies. However, the main challenges in IDS models are the dynamic and random behavior of malicious attacks and designing a scalable solution that can handle this behavior. The rapid change in network behavior and the fast evolution of various attacks paved the way for evaluating the various datasets that have been generated over the years and for designing different dynamic approaches. In this paper, a deep neural network (DNN) is used to develop an effective and efficient IDS in the IoMT environment to classify and predict unforeseen cyberattacks.
The network parameters are preprocessed, optimized and tuned by hyperparameter selection methods. A comprehensive analysis of experiments with the DNN and other machine learning algorithms is compared on the benchmark intrusion detection dataset. Through rigorous testing, it has been shown that the proposed DNN model performs better than the existing machine learning approaches, with an increase in accuracy of 15% and a decrease in time complexity of 32%, which helps in faster alerts to avoid the after-effects of intrusion in sensitive cloud data storage.
Article
Manually analyzing vast amounts of newly released malware is a significant problem for the security community. Deep-learning techniques have recently been employed to automate security tasks such as malware analysis, intrusion detection, and botnet detection. We look at such techniques and investigate how practical and secure they are.
Article
Intrusion detection is one of the important security problems in today's cyber world. A significant number of techniques based on machine learning approaches have been developed. However, they are not very successful in identifying all types of intrusions. In this paper, a detailed investigation and analysis of various machine learning techniques has been carried out to find the cause of the problems associated with various machine learning techniques in detecting intrusive activities. Attack classification and mapping of the attack features is provided for each attack. Issues related to detecting low-frequency attacks using network attack datasets are also discussed, and viable methods are suggested for improvement. Machine learning techniques have been analyzed and compared in terms of their capability for detecting the various categories of attacks. Limitations associated with each category of them are also discussed. Various data mining tools for machine learning have also been included in the paper. At the end, future directions are provided for attack detection using machine learning techniques.
Article
Network intrusion detection systems (NIDSs) play a crucial role in defending computer networks. However, there are concerns regarding the feasibility and sustainability of current approaches when faced with the demands of modern networks. More specifically, these concerns relate to the increasing levels of required human interaction and the decreasing levels of detection accuracy. This paper presents a novel deep learning technique for intrusion detection, which addresses these concerns. We detail our proposed nonsymmetric deep autoencoder (NDAE) for unsupervised feature learning. Furthermore, we also propose our novel deep learning classification model constructed using stacked NDAEs. Our proposed classifier has been implemented in graphics processing unit (GPU)-enabled TensorFlow and evaluated using the benchmark KDD Cup ’99 and NSL-KDD datasets. Promising results have been obtained from our model thus far, demonstrating improvements over existing approaches and the strong potential for use in modern NIDSs.